[License-discuss] Reverse Engineering and Open Source Licenses

Thu Mar 5 14:48:20 UTC 2015

Actually there is an excellent reason why distribution is key here.

The LGPL is a copyright license.  Its reasoning is based on the idea
that if you do something otherwise forbidden by copyright, then you're
forced to either follow the license, or be sued for copyright
violation.  But this only works if you do something otherwise
forbidden by copyright.  Receiving a copy of a library is not
forbidden.  Current US precedent says that an API is not covered by
copyright, and therefore programming to the API is allowed.  (There is
a lawsuit between Oracle and Google that potentially could change
this.)  And precedent exists saying that the virtual copy in RAM from
dynamic linking is allowed.  But distribution is covered by copyright
law.

Therefore if you are writing and distributing an application which is
meant to be dynamically linked to an LGPL library, the *only* thing
you typically do which requires copyright permission is to distribute
the library.  No matter what the library author may think of your
actions, until you distribute the library, you do not require
permission.  But once you have, then we're into the question of
whether your actions fell within the permission granted by the license
or not.  And if you and the author of the library cannot reach
agreement, then the disagreement will need to be settled by a court.
Which could rule either way.

So if you want to be cautious, here is what you do.  Do not distribute
*GPL software unless you intend to comply with the author's
understanding of their license.  Which frequently will match the FSF's
understanding.  And they've written a FAQ explaining what that is.  So
play it safe according to that FAQ, and you should be fine.

This is all, of course, according to my understanding of US law.  I
have no idea how different the situation may be in other countries.
And I still am not a lawyer. :-)

On Thu, Mar 5, 2015 at 1:09 AM, Wiedemann, Claus-Peter
<claus-peter.wiedemann at bearingpoint.com> wrote:
>> -----Ursprüngliche Nachricht-----
>> Von: Ben Tilly [mailto:btilly at gmail.com]
>> Gesendet: Donnerstag, 5. März 2015 03:51
>> An: License Discuss
>> Cc: ftf-legal at fsfeurope.org; karen.copenhaver at gmail.com;
>> armijn at tjaldur.nl; Wiedemann, Claus-Peter; Schwegler, Robert
>> Betreff: Re: [License-discuss] Reverse Engineering and Open Source Licenses
>>
> [...]
>>
>> The intended interpretation of the drafters is made clear at
>> https://www.gnu.org/licenses/gpl-faq.html#LGPLStaticVsDynamic.  They
>> distinguish by how the software is distributed.  If you distribute code that
>> dynamically links to an LGPL library that is already present, you have not
>> created a Combined Work.  On the other hand if you distribute the library
>> you will dynamically link to with your code, you *have* created a Combined
>> Work.  There is a grey area where you distribute both, but not at the same
>> time.  My suspicion is that they would at that point distinguish based on
>> whether or not you intend to link them.
>
> I don't think it makes a difference wrt to the "Combined Work" aspect. The fact  that a "Combined Work" or better a "work that uses the Library" is created is independent from the  specific way of distribution. It does not matter if you distribute the library together with the program, or not. If the program needs it to run, it is a "work that uses the Library". Some people think they can "evade" the LGPL obligations for the program (e.g. permit reverse engineering) by not distributing the library. I don't think that works. The reason why the FAQ makes a distinction here is simple. If the library is already present on the user's computer, then one can assume that the user is already in possession of the corresponding source code (which must have been provided earlier together the library).  In this case there is no obligation to provide the source code again. In LGPL V2.1, this is made explicit in section 6e)
> e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
>
> Best regards
> Claus-Peter (not a lawyer, either)
>
> ________________________________
>  BearingPoint GmbH
> Geschäftsführer: Marcel Nickler (Vorsitzender), Hans-Werner Wurzel (stellv. Vorsitzender), Kiumars Hamidian, Matthias Loebich, Kai Wächter, Dr. Robert Wagner
> Vorsitzender des Aufsichtsrats: Beat Leimbacher
> Sitz: Frankfurt am Main
> Registergericht: Amtsgericht Frankfurt am Main HRB 55490
>
>
> The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.